From c41e4b76cdf91030b229906bc25d19f463adae89 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:43:13 +0100 Subject: [PATCH 01/59] add python 3.9 support and remove an old patch --- debian/patches/python-3.9.patch | 74 ++++++++++++++++++++++++++++ debian/patches/roundcude-update.diff | 11 ----- debian/patches/series | 2 +- 3 files changed, 75 insertions(+), 12 deletions(-) create mode 100644 debian/patches/python-3.9.patch delete mode 100644 debian/patches/roundcude-update.diff diff --git a/debian/patches/python-3.9.patch b/debian/patches/python-3.9.patch new file mode 100644 index 00000000..1535abed --- /dev/null +++ b/debian/patches/python-3.9.patch 
@@ -0,0 +1,74 @@ +Index: fail2ban/fail2ban/server/jailthread.py +=================================================================== +--- fail2ban.orig/fail2ban/server/jailthread.py ++++ fail2ban/fail2ban/server/jailthread.py +@@ -120,3 +120,6 @@ class JailThread(Thread): + ## python 2.x replace binding of private __bootstrap method: + if sys.version_info < (3,): # pragma: 3.x no cover + JailThread._Thread__bootstrap = JailThread._JailThread__bootstrap ++## python 3.9, restore isAlive method: ++elif not hasattr(JailThread, 'isAlive'): # pragma: 2.x no cover ++ JailThread.isAlive = JailThread.is_alive +Index: fail2ban/fail2ban/tests/sockettestcase.py +=================================================================== +--- fail2ban.orig/fail2ban/tests/sockettestcase.py ++++ fail2ban/fail2ban/tests/sockettestcase.py +@@ -83,11 +83,11 @@ class Socket(LogCaptureTestCase): + serverThread.start() + self.assertTrue(Utils.wait_for(self.server.isActive, unittest.F2B.maxWaitTime(10))) + return serverThread +- ++ + def _stopServerThread(self): + serverThread = self.serverThread + # wait for end of thread : +- Utils.wait_for(lambda: not serverThread.isAlive() ++ Utils.wait_for(lambda: not serverThread.is_alive() + or serverThread.join(Utils.DEFAULT_SLEEP_TIME), unittest.F2B.maxWaitTime(10)) + self.serverThread = None + +@@ -98,7 +98,7 @@ class Socket(LogCaptureTestCase): + self.server.close() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + # clean : + self.server.stop() + self.assertFalse(self.server.isActive()) +@@ -139,7 +139,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + +@@ -149,7 +149,7 @@ class Socket(LogCaptureTestCase): + 
client = Utils.wait_for(self._serverSocket, 2) + # unexpected stop during message body: + testMessage = ["A", "test", "message", [protocol.CSPROTO.END]] +- ++ + org_handler = RequestHandler.found_terminator + try: + RequestHandler.found_terminator = lambda self: self.close() +@@ -180,7 +180,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + + def testLoopErrors(self): + # replace poll handler to produce error in loop-cycle: +@@ -216,7 +216,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + diff --git a/debian/patches/roundcude-update.diff b/debian/patches/roundcude-update.diff deleted file mode 100644 index 3304d0bc..00000000 --- a/debian/patches/roundcude-update.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- fail2ban-0.11.1.orig/config/filter.d/roundcube-auth.conf -+++ fail2ban-0.11.1/config/filter.d/roundcube-auth.conf -@@ -18,7 +18,7 @@ prefregex = ^\s*(\[\])?(%(__hostname)s\s - failregex = ^(?:FAILED login|Login failed) for .* from (?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$ - ^(?:<[\w]+> )?Failed login for .* from in session \w+( \(error: \d\))?$ - --ignoreregex = -+ignoreregex = Could not connect to .* Connection refused - - journalmatch = SYSLOG_IDENTIFIER=roundcube - diff --git a/debian/patches/series b/debian/patches/series index 4fbf4140..6fb515d1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,4 +5,4 @@ deb_manpages_reportbug deb_no_iptables_service python3-test-suite.diff no-python-user.diff -roundcude-update.diff +python-3.9.patch 
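Review bot: The new `debian/patches/python-3.9.patch` begins straight at `Index:` with no DEP-3 header, so the package records neither why the patch exists, where it came from, nor when it can be dropped. A short block at the top such as `Description: Python 3.9 support: restore the removed Thread.isAlive() alias and use is_alive() in the socket tests`, a `Bug-Debian:` line for #975565 (the bug the following changelog commit in this series closes), and `Origin:` with the upstream commit URL if this is a backport (use a `<upstream-commit-url>` placeholder until known) would make that traceable. The `elif not hasattr(JailThread, 'isAlive')` branch keeps an `isAlive()` alias on `JailThread` while the tests themselves switch to `is_alive()`; which callers outside the test suite still need the alias is not visible here, so a one-line comment on that branch naming them, or stating it is kept only for backward compatibility, would explain why both changes are made rather than one.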
From 83aba576b472d85f3447a0e45716612c2f1a8c96 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:47:07 +0100 Subject: [PATCH 02/59] fix changelog --- debian/changelog | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index 88ba333a..2b6d6182 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ -fail2ban (0.11.1-4) UNRELEASED; urgency=medium +fail2ban (0.11.1-3) unstable; urgency=medium + [ Ondřej Nový ] * Use debhelper-compat instead of debian/compat. * d/control: Update Maintainer field with new Debian Python Team contact address. @@ -7,14 +8,12 @@ fail2ban (0.11.1-4) UNRELEASED; urgency=medium layout. * d/watch: Use https protocol. - -- Ondřej Nový Thu, 24 Sep 2020 08:42:58 +0200 - -fail2ban (0.11.1-3) unstable; urgency=medium - + [ Sylvestre Ledru ] + * Fix the python 3.9 support (Closes: #975565) * remove deprecated package dh-systemd from the build deps (Closes: #958625) - -- + -- Sylvestre Ledru Mon, 23 Nov 2020 21:45:34 +0100 fail2ban (0.11.1-2) unstable; urgency=medium From 0083db7e2bd33b4fea4b922b26120968bd264175 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:47:27 +0100 Subject: [PATCH 03/59] Fix day-of-week for changelog entry 0.5.4-2. Changes-By: lintian-brush Fixes: lintian: debian-changelog-has-wrong-day-of-week See-also: https://lintian.debian.org/tags/debian-changelog-has-wrong-day-of-week.html --- debian/changelog | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 2b6d6182..dfab8307 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +fail2ban (0.11.1-4) UNRELEASED; urgency=medium + + * Fix day-of-week for changelog entry 0.5.4-2. + + -- Sylvestre Ledru Mon, 23 Nov 2020 21:47:27 -0000 + fail2ban (0.11.1-3) unstable; urgency=medium [ Ondřej Nový ] @@ -1306,7 +1312,7 @@ fail2ban (0.5.4-2) unstable; urgency=low * Added a keyword
in parsing of the subject and the body of an email sent out by fail2ban (closes: #330311) - -- Yaroslav Halchenko Wed, 27 Sep 2005 08:09:06 -0400 + -- Yaroslav Halchenko Tue, 27 Sep 2005 08:09:06 -0400 fail2ban (0.5.4-1) unstable; urgency=low From 9c3b37313b57a5e29423083b9c8f0fcd61054668 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:47:38 +0100 Subject: [PATCH 04/59] Update watch file format version to 4. Changes-By: lintian-brush Fixes: lintian: older-debian-watch-file-standard See-also: https://lintian.debian.org/tags/older-debian-watch-file-standard.html --- debian/changelog | 1 + debian/watch | 8 ++------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index dfab8307..15d83269 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ fail2ban (0.11.1-4) UNRELEASED; urgency=medium * Fix day-of-week for changelog entry 0.5.4-2. + * Update watch file format version to 4. -- Sylvestre Ledru Mon, 23 Nov 2020 21:47:27 -0000 diff --git a/debian/watch b/debian/watch index 07fe1217..2267a25f 100644 --- a/debian/watch +++ b/debian/watch @@ -1,6 +1,2 @@ -# watch control file for uscan -# Run the "uscan" command to check for upstream updates and more. -# Site Directory Pattern Version Script -version=3 -opts="filenamemangle=s/.*\/(.*)/fail2ban-$1\.tar\.gz/" \ - https://github.com/fail2ban/fail2ban/tags .*archive/(\d[\d\.]+).tar.gz +version=4 +opts=filenamemangle=s/.*\/(.*)/fail2ban-$1\.tar\.gz/ https://github.com/fail2ban/fail2ban/tags .*archive/(\d[\d\.]+).tar.gz From 018a8544f49696a3020422fd6e3c53ba514e7de0 Mon Sep 17 00:00:00 2001 
From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:47:44 +0100 Subject: [PATCH 05/59] Bump debhelper from deprecated 9 to 12. Changes-By: lintian-brush Fixes: lintian: package-uses-deprecated-debhelper-compat-version See-also: https://lintian.debian.org/tags/package-uses-deprecated-debhelper-compat-version.html --- debian/changelog | 1 + debian/control | 3 +-- debian/rules | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 15d83269..c395359a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ fail2ban (0.11.1-4) UNRELEASED; urgency=medium * Fix day-of-week for changelog entry 0.5.4-2. * Update watch file format version to 4. + * Bump debhelper from deprecated 9 to 12. -- Sylvestre Ledru Mon, 23 Nov 2020 21:47:27 -0000 diff --git a/debian/control b/debian/control index b0c53bd5..de4579e6 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,7 @@ Maintainer: Debian Python Team Uploaders: Yaroslav Halchenko , Sylvestre Ledru Build-Depends: - debhelper-compat (= 9) + debhelper-compat (= 12) , debhelper (>= 9.20160709) , dh-python , python3 @@ -18,7 +18,6 @@ Vcs-Git: https://salsa.debian.org/python-team/packages/fail2ban.git Vcs-Browser: https://salsa.debian.org/python-team/packages/fail2ban Standards-Version: 4.4.1 - Package: fail2ban Architecture: all Depends: ${python3:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) diff --git a/debian/rules b/debian/rules index 4ff3c39b..28db2250 100755 --- a/debian/rules +++ b/debian/rules @@ -12,7 +12,7 @@ export DH_VERBOSE=1 export PYBUILD_DISABLE_python2=1 %: - dh $@ --with python3,systemd --buildsystem pybuild + dh $@ --with python3 --buildsystem pybuild DESTDIR=$(CURDIR)/debian/fail2ban PYVERSION=$(shell py3versions -dv) From 79df701fcc67c1a0fead529724ed6cd1a76eab18 Mon Sep 17 00:00:00 2001 
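Review bot: With `debhelper-compat (= 12)` now in Build-Depends, the `, debhelper (>= 9.20160709)` line kept as context directly beneath it is redundant: the `debhelper-compat` virtual package is only provided by debhelper releases new enough to satisfy it, so the explicit versioned dependency no longer constrains anything. That particular version is the one that folded dh-systemd into debhelper, which is also why the `debian/rules` hunk in the same commit can drop `systemd` from `dh --with`; once the compat bump makes it implicit, the stale lower bound only invites the two to drift apart on the next bump. Dropping the line, or noting in the changelog why it is kept, would keep `debian/control` self-explanatory.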
From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:47:50 +0100 Subject: [PATCH 06/59] Update standards version to 4.5.0, no changes needed. Changes-By: lintian-brush Fixes: lintian: out-of-date-standards-version See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html --- debian/changelog | 1 + debian/control | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index c395359a..71017272 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ fail2ban (0.11.1-4) UNRELEASED; urgency=medium * Fix day-of-week for changelog entry 0.5.4-2. * Update watch file format version to 4. * Bump debhelper from deprecated 9 to 12. + * Update standards version to 4.5.0, no changes needed. -- Sylvestre Ledru Mon, 23 Nov 2020 21:47:27 -0000 diff --git a/debian/control b/debian/control index de4579e6..5971f8e0 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ Build-Depends: Homepage: http://www.fail2ban.org Vcs-Git: https://salsa.debian.org/python-team/packages/fail2ban.git Vcs-Browser: https://salsa.debian.org/python-team/packages/fail2ban -Standards-Version: 4.4.1 +Standards-Version: 4.5.0 Package: fail2ban Architecture: all From 5d0dc51750dd284fe65abd3b702d471a4c7606d4 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Mon, 23 Nov 2020 21:54:40 +0100 Subject: [PATCH 07/59] fix changelog --- debian/changelog | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index 71017272..8d2f0a3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,12 +1,3 @@ -fail2ban (0.11.1-4) UNRELEASED; urgency=medium - - * Fix day-of-week for changelog entry 0.5.4-2. - * Update watch file format version to 4. - * Bump debhelper from deprecated 9 to 12. - * Update standards version to 4.5.0, no changes needed. - - -- Sylvestre Ledru Mon, 23 Nov 2020 21:47:27 -0000 - fail2ban (0.11.1-3) unstable; urgency=medium [ Ondřej Nový ] 
@@ -21,6 +12,10 @@ fail2ban (0.11.1-3) unstable; urgency=medium * Fix the python 3.9 support (Closes: #975565) * remove deprecated package dh-systemd from the build deps (Closes: #958625) + * Fix day-of-week for changelog entry 0.5.4-2. + * Update watch file format version to 4. + * Bump debhelper from deprecated 9 to 12. + * Update standards version to 4.5.0, no changes needed. -- Sylvestre Ledru Mon, 23 Nov 2020 21:45:34 +0100 From dc3dd4770123367bc6965fce181f99185da03052 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Tue, 24 Nov 2020 17:13:14 +0100 Subject: [PATCH 08/59] * Fix the copyright file (Closes: #975644) * https for the Website field in Debian control --- debian/changelog | 7 +++++++ debian/control | 2 +- debian/copyright | 10 +++++----- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8d2f0a3a..eb312dbb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +fail2ban (0.11.1-4) unstable; urgency=medium + + * Fix the copyright file (Closes: #975644) + * https for the Website field in Debian control + + -- Sylvestre Ledru Tue, 24 Nov 2020 17:13:04 +0100 + fail2ban (0.11.1-3) unstable; urgency=medium [ Ondřej Nový ] diff --git a/debian/control b/debian/control index 5971f8e0..f92faa7f 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: , python3-pyinotify , sqlite3 , 2to3 -Homepage: http://www.fail2ban.org +Homepage: https://www.fail2ban.org Vcs-Git: https://salsa.debian.org/python-team/packages/fail2ban.git Vcs-Browser: https://salsa.debian.org/python-team/packages/fail2ban Standards-Version: 4.5.0 diff --git a/debian/copyright b/debian/copyright index 99d64846..3380fb94 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,12 +1,13 @@ This package was originally debianized by Yaroslav Halchenko on Mon Jul 4 14:41:34 HST 2005 -It was downloaded from http://www.sourceforge.net/projects/fail2ban +It was downloaded from https://www.fail2ban.org -Author: Cyril Jaquier: - http://fail2ban.sourceforge.net +Original author: Cyril Jaquier: + https://www.fail2ban.org Copyright: 2004-2009 Cyril Jaquier + many others since then This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,5 @@ MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. -The Debian packaging is (C) 2006-2011, Yaroslav Halchenko +The Debian packaging is (C) 2006-2018, Yaroslav Halchenko and is licensed under the GPL, see above. - From 55508fe5c0aaf7c5083cb8a23088c9705f6a1db5 Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Tue, 24 Nov 2020 18:25:26 +0100 Subject: [PATCH 09/59] add back the roundcube patch --- debian/patches/roundcube.diff | 11 +++++++++++ debian/patches/series | 1 + 2 files changed, 12 insertions(+) create mode 100644 debian/patches/roundcube.diff diff --git a/debian/patches/roundcube.diff b/debian/patches/roundcube.diff new file mode 100644 index 00000000..3304d0bc --- /dev/null +++ b/debian/patches/roundcube.diff @@ -0,0 +1,11 @@ +--- fail2ban-0.11.1.orig/config/filter.d/roundcube-auth.conf ++++ fail2ban-0.11.1/config/filter.d/roundcube-auth.conf +@@ -18,7 +18,7 @@ prefregex = ^\s*(\[\])?(%(__hostname)s\s + failregex = ^(?:FAILED login|Login failed) for .* from (?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$ + ^(?:<[\w]+> )?Failed login for .* from in session \w+( \(error: \d\))?$ + +-ignoreregex = ++ignoreregex = Could not connect to .* Connection refused + + journalmatch = SYSLOG_IDENTIFIER=roundcube + 
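Review bot: `debian/patches/roundcube.diff` is added without any DEP-3 header, so the reason for the extra `ignoreregex = Could not connect to .* Connection refused` in `filter.d/roundcube-auth.conf` is not recorded anywhere in the package. The effect of that line is that a log entry which matched `failregex` but also contains that text is not counted as a failure; presumably so that clients are not banned while the IMAP backend is unreachable rather than for a bad password, but nothing states that. A header such as `Description: roundcube-auth: do not count login failures caused by an unreachable IMAP backend` plus `Forwarded:` (whether this was sent upstream is not visible here) would document it. The blob id `3304d0bc` shows the content is byte-identical to the `roundcude-update.diff` deleted earlier in this series, so this is effectively a rename and the header could also say so.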
diff --git a/debian/patches/series b/debian/patches/series index 6fb515d1..16ab09e3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ deb_no_iptables_service python3-test-suite.diff no-python-user.diff python-3.9.patch +roundcube.diff From d422bceb0efb04b8a02c4378c7f9891e51682832 Mon Sep 17 00:00:00 2001 
From: Sylvestre Ledru Date: Thu, 26 Nov 2020 13:47:25 +0100 Subject: [PATCH 10/59] New upstream version 0.11.2 --- .github/workflows/main.yml | 66 + .travis.yml | 8 +- ChangeLog | 69 +- MANIFEST | 10 + config/action.d/abuseipdb.conf | 7 +- config/action.d/bsd-ipfw.conf | 5 +- config/action.d/cloudflare.conf | 19 +- config/action.d/firewallcmd-ipset.conf | 24 +- config/action.d/firewallcmd-multiport.conf | 4 +- config/action.d/firewallcmd-new.conf | 4 +- config/action.d/firewallcmd-rich-logging.conf | 30 +- config/action.d/firewallcmd-rich-rules.conf | 8 +- .../iptables-ipset-proto6-allports.conf | 22 +- config/action.d/iptables-ipset-proto6.conf | 22 +- config/action.d/nftables.conf | 2 +- config/action.d/nginx-block-map.conf | 6 +- config/action.d/shorewall-ipset-proto6.conf | 20 +- config/fail2ban.conf | 2 +- config/filter.d/apache-noscript.conf | 4 +- config/filter.d/bitwarden.conf | 9 +- config/filter.d/common.conf | 8 +- config/filter.d/courier-smtp.conf | 2 +- config/filter.d/dovecot.conf | 8 +- config/filter.d/gitlab.conf | 6 + config/filter.d/grafana.conf | 9 + config/filter.d/guacamole.conf | 50 +- config/filter.d/monit.conf | 8 +- config/filter.d/mysqld-auth.conf | 2 +- config/filter.d/phpmyadmin-syslog.conf | 2 +- config/filter.d/postfix.conf | 2 +- config/filter.d/proftpd.conf | 13 +- config/filter.d/roundcube-auth.conf | 2 +- config/filter.d/sendmail-auth.conf | 7 +- config/filter.d/sendmail-reject.conf | 13 +- config/filter.d/softethervpn.conf | 9 + config/filter.d/sshd.conf | 45 +- config/filter.d/traefik-auth.conf | 22 +- config/jail.conf | 59 +- debian/NEWS | 91 -- debian/README.Debian | 251 --- debian/TODO | 10 - debian/backports/00list.sarge-backports | 1 - debian/backports/nopycentral.patch | 40 - debian/changelog | 1405 ----------------- debian/control | 47 - debian/copyright | 31 - .../debian-files/jail.d_defaults-debian.conf | 2 - debian/docs | 3 - debian/fail2ban.default | 39 - debian/fail2ban.logrotate | 19 - debian/gbp.conf | 18 - 
...use_stock_cfg-was-not-provided-while.patch | 25 - debian/patches/deb_init_paths | 13 - debian/patches/deb_manpages_reportbug | 30 - debian/patches/deb_no_iptables_service | 30 - debian/patches/deb_path_to_common | 22 - debian/patches/no-python-user.diff | 12 - debian/patches/python-3.9.patch | 74 - debian/patches/python3-test-suite.diff | 10 - debian/patches/roundcube.diff | 11 - debian/patches/series | 9 - debian/postinst | 98 -- debian/postrm | 52 - debian/preinst | 15 - debian/rules | 71 - debian/source/format | 1 - debian/upstream/metadata | 4 - debian/watch | 2 - fail2ban/client/actionreader.py | 21 +- fail2ban/client/configparserinc.py | 7 +- fail2ban/client/configreader.py | 79 +- fail2ban/client/csocket.py | 14 +- fail2ban/client/fail2banclient.py | 13 - fail2ban/client/fail2bancmdline.py | 58 +- fail2ban/client/fail2banregex.py | 247 +-- fail2ban/client/filterreader.py | 8 + fail2ban/client/jailreader.py | 7 +- fail2ban/helpers.py | 56 +- fail2ban/protocol.py | 4 + fail2ban/server/action.py | 45 +- fail2ban/server/actions.py | 92 +- fail2ban/server/banmanager.py | 44 +- fail2ban/server/database.py | 67 +- fail2ban/server/datedetector.py | 71 +- fail2ban/server/datetemplate.py | 21 +- fail2ban/server/failmanager.py | 24 +- fail2ban/server/failregex.py | 73 +- fail2ban/server/filter.py | 359 +++-- fail2ban/server/filtergamin.py | 3 +- fail2ban/server/filterpoll.py | 7 +- fail2ban/server/filterpyinotify.py | 18 +- fail2ban/server/filtersystemd.py | 39 +- fail2ban/server/ipdns.py | 13 +- fail2ban/server/jail.py | 10 + fail2ban/server/jailthread.py | 3 + fail2ban/server/mytime.py | 7 +- fail2ban/server/observer.py | 27 +- fail2ban/server/server.py | 70 +- fail2ban/server/strptime.py | 5 +- fail2ban/server/ticket.py | 39 +- fail2ban/server/transmitter.py | 14 +- fail2ban/server/utils.py | 9 +- fail2ban/tests/actionstestcase.py | 2 + fail2ban/tests/actiontestcase.py | 2 +- fail2ban/tests/banmanagertestcase.py | 15 + fail2ban/tests/clientreadertestcase.py | 76 
+- .../tests/config/filter.d/checklogtype.conf | 31 + .../config/filter.d/checklogtype_test.conf | 12 + .../filter.d/zzz-sshd-obsolete-multiline.conf | 7 +- fail2ban/tests/config/jail.conf | 25 + fail2ban/tests/databasetestcase.py | 10 + fail2ban/tests/datedetectortestcase.py | 21 + fail2ban/tests/dummyjail.py | 13 +- fail2ban/tests/fail2banclienttestcase.py | 141 +- fail2ban/tests/fail2banregextestcase.py | 117 +- fail2ban/tests/files/filter.d/testcase02.conf | 12 + .../tests/files/filter.d/testcase02.local | 4 + fail2ban/tests/files/logs/apache-modsecurity | 3 + fail2ban/tests/files/logs/apache-noscript | 3 + fail2ban/tests/files/logs/bitwarden | 6 + fail2ban/tests/files/logs/courier-smtp | 6 +- fail2ban/tests/files/logs/dovecot | 13 + fail2ban/tests/files/logs/gitlab | 5 + fail2ban/tests/files/logs/grafana | 5 + fail2ban/tests/files/logs/guacamole | 5 + fail2ban/tests/files/logs/mysqld-auth | 4 + fail2ban/tests/files/logs/postfix | 5 + fail2ban/tests/files/logs/proftpd | 10 +- fail2ban/tests/files/logs/sendmail-auth | 5 + fail2ban/tests/files/logs/sendmail-reject | 4 + fail2ban/tests/files/logs/softethervpn | 7 + fail2ban/tests/files/logs/sshd | 35 +- fail2ban/tests/files/logs/sshd-journal | 18 +- fail2ban/tests/files/logs/traefik-auth | 17 + fail2ban/tests/files/logs/zzz-generic-example | 11 +- fail2ban/tests/filtertestcase.py | 183 ++- fail2ban/tests/misctestcase.py | 25 +- fail2ban/tests/observertestcase.py | 7 +- fail2ban/tests/samplestestcase.py | 110 +- fail2ban/tests/servertestcase.py | 92 +- fail2ban/tests/sockettestcase.py | 14 +- fail2ban/tests/tickettestcase.py | 28 +- fail2ban/tests/utils.py | 33 +- fail2ban/version.py | 2 +- files/fail2ban.service.in | 1 + man/fail2ban-client.1 | 29 +- man/fail2ban-python.1 | 2 +- man/fail2ban-regex.1 | 11 +- man/fail2ban-server.1 | 13 +- man/fail2ban-testcases.1 | 2 +- man/jail.conf.5 | 82 +- setup.py | 56 +- 152 files changed, 2503 insertions(+), 3455 deletions(-) create mode 100644 .github/workflows/main.yml 
create mode 100644 config/filter.d/gitlab.conf create mode 100644 config/filter.d/grafana.conf create mode 100644 config/filter.d/softethervpn.conf delete mode 100644 debian/NEWS delete mode 100644 debian/README.Debian delete mode 100644 debian/TODO delete mode 100644 debian/backports/00list.sarge-backports delete mode 100644 debian/backports/nopycentral.patch delete mode 100644 debian/changelog delete mode 100644 debian/control delete mode 100644 debian/copyright delete mode 100644 debian/debian-files/jail.d_defaults-debian.conf delete mode 100644 debian/docs delete mode 100644 debian/fail2ban.default delete mode 100644 debian/fail2ban.logrotate delete mode 100644 debian/gbp.conf delete mode 100644 debian/patches/0002-ENH-verify-that-use_stock_cfg-was-not-provided-while.patch delete mode 100644 debian/patches/deb_init_paths delete mode 100644 debian/patches/deb_manpages_reportbug delete mode 100644 debian/patches/deb_no_iptables_service delete mode 100644 debian/patches/deb_path_to_common delete mode 100644 debian/patches/no-python-user.diff delete mode 100644 debian/patches/python-3.9.patch delete mode 100644 debian/patches/python3-test-suite.diff delete mode 100644 debian/patches/roundcube.diff delete mode 100644 debian/patches/series delete mode 100755 debian/postinst delete mode 100755 debian/postrm delete mode 100755 debian/preinst delete mode 100755 debian/rules delete mode 100644 debian/source/format delete mode 100644 debian/upstream/metadata delete mode 100644 debian/watch create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf create mode 100644 fail2ban/tests/files/filter.d/testcase02.conf create mode 100644 fail2ban/tests/files/filter.d/testcase02.local create mode 100644 fail2ban/tests/files/logs/gitlab create mode 100644 fail2ban/tests/files/logs/grafana create mode 100644 fail2ban/tests/files/logs/softethervpn 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..7a1d31df --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,66 @@ +name: CI + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the master branch +on: + push: + paths-ignore: + - 'doc/**' + - 'files/**' + - 'man/**' + pull_request: + paths-ignore: + - 'doc/**' + - 'files/**' + - 'man/**' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-20.04 + strategy: + matrix: + python-version: [2.7, 3.5, 3.6, 3.7, 3.8, 3.9, pypy2, pypy3] + fail-fast: false + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + + - name: Python version + run: | + F2B_PY=$(python -c "import sys; print(sys.version)") + echo "Python: ${{ matrix.python-version }} -- $F2B_PY" + F2B_PY=${F2B_PY:0:1} + echo "Set F2B_PY=$F2B_PY" + echo "F2B_PY=$F2B_PY" >> $GITHUB_ENV + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + if [[ "$F2B_PY" = 3 ]] && ! command -v 2to3x -v 2to3 > /dev/null; then + pip install 2to3 + fi + pip install systemd-python || echo 'systemd not available' + pip install pyinotify || echo 'inotify not available' + + - name: Before scripts + run: | + cd "$GITHUB_WORKSPACE" + # Manually execute 2to3 for now + if [[ "$F2B_PY" = 3 ]]; then echo "2to3 ..." 
&& ./fail2ban-2to3; fi + # (debug) output current preferred encoding: + python -c 'import locale, sys; from fail2ban.helpers import PREFER_ENC; print(PREFER_ENC, locale.getpreferredencoding(), (sys.stdout and sys.stdout.encoding))' + + - name: Test suite + run: if [[ "$F2B_PY" = 2 ]]; then python setup.py test; else python bin/fail2ban-testcases --verbosity=2; fi + + #- name: Test initd scripts + # run: shellcheck -s bash -e SC1090,SC1091 files/debian-initd diff --git a/.travis.yml b/.travis.yml index 158cff99..064b678b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,14 +18,14 @@ matrix: - python: 2.7 name: 2.7 (xenial) - python: pypy - dist: trusty - python: 3.3 dist: trusty - python: 3.4 - python: 3.5 - python: 3.6 - python: 3.7 - - python: 3.8-dev + - python: 3.8 + - python: 3.9-dev - python: pypy3.5 before_install: - echo "running under $TRAVIS_PYTHON_VERSION" @@ -69,8 +69,8 @@ script: - if [[ "$F2B_PY" = 3 ]]; then coverage run bin/fail2ban-testcases --verbosity=2; fi # Use $VENV_BIN (not python) or else sudo will always run the system's python (2.7) - sudo $VENV_BIN/pip install . - # Doc files should get installed on Travis under Linux (python >= 3.8 seem to use another path segment) - - if [[ $TRAVIS_PYTHON_VERSION < 3.8 ]]; then test -e /usr/share/doc/fail2ban/FILTERS; fi + # Doc files should get installed on Travis under Linux (some builds/python's seem to use another path segment) + - test -e /usr/share/doc/fail2ban/FILTERS && echo 'found' || echo 'not found' # Test initd script - shellcheck -s bash -e SC1090,SC1091 files/debian-initd after_success: diff --git a/ChangeLog b/ChangeLog index cc0c6608..5cec0e24 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,7 +6,7 @@ Fail2Ban: Changelog =================== -ver. 0.11.1 (2020/01/11) - this-is-the-way +ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools ----------- ### Compatibility: 
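Review bot: In the new `.github/workflows/main.yml`, `actions/checkout@v2` and `actions/setup-python@v2` are referenced by mutable major-version tags, so the code that runs in CI can change without any change to this repository; pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, is the usual supply-chain hardening for third-party actions. The `Install dependencies` step likewise pulls `2to3`, `systemd-python` and `pyinotify` from PyPI unpinned, which is acceptable for a test matrix but worth a comment saying these are not release inputs. This is upstream's CI file arriving through the version import, so the points belong in an upstream report rather than in the Debian packaging.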
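Review bot: In the `.travis.yml` `script:` hunk, the new line `test -e /usr/share/doc/fail2ban/FILTERS && echo 'found' || echo 'not found'` can no longer fail: both arms end in an `echo` that exits 0, so the doc-installation check the removed line performed for Python < 3.8 is now purely informational. If that is intended, the comment above it should say the check is advisory only; otherwise preserve the exit status, e.g. `test -e /usr/share/doc/fail2ban/FILTERS || { echo 'not found'; exit 1; }`. This is upstream's CI configuration coming in with the version import, so it is a point to raise upstream.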
@@ -37,6 +37,73 @@ ver. 0.11.1 (2020/01/11) - this-is-the-way - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable now. +### Fixes +* [stability] prevent race condition - no ban if filter (backend) is continuously busy if + too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660) +* pyinotify-backend sporadically avoided initial scanning of log-file by start +* python 3.9 compatibility (and Travis CI support) +* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed +* manual ban is written to database, so can be restored by restart (gh-2647) +* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead) +* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified + per jail or in default section in jail.local), closes gh-2357 +* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686) +* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), + so would bother the action interpolation +* fixed type conversion in config readers (take place after all interpolations get ready), that allows to + specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters. 
+* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy + between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703) +* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing + with `jq`, gh-2140, gh-2656) +* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763) +* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh-2821) +* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh-2836) +* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` + should be interpolated in definition section (inside the filter-config, gh-2650) +* `filter.d/dovecot.conf`: + - add managesieve and submission support (gh-2795); + - accept messages with more verbose logging (gh-2573); +* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697) +* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle + the match of username differently (gh-2693): + - `normal`: matches 401 with supplied username only + - `ddos`: matches 401 without supplied username only + - `aggressive`: matches 401 and any variant (with and without username) +* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh-2749) + +### New Features and Enhancements +* fail2ban-regex: + - speedup formatted output (bypass unneeded stats creation) + - extended with prefregex statistic + - more informative output for `datepattern` (e. g. 
set from filter) - pattern : description +* parsing of action in jail-configs considers space between action-names as separator also + (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` +* new filter and jail for GitLab recognizing failed application logins (gh-2689) +* new filter and jail for Grafana recognizing failed application logins (gh-2855) +* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723) +* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631) +* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778) +* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; +* datetemplate: improved anchor detection for capturing groups `(^...)`; +* datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) + as well as some warnings signaling user about invalid pattern or zone (gh-2814): + - filter gets mode in-operation, which gets activated if filter starts processing of new messages; + in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much + from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected + bypass of failure (previously exceeding `findtime`); + - better interaction with non-matching optional datepattern or invalid timestamps; + - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages, + whereas filter will use now as timestamp (gh-2802) +* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template); +* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791; +* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag + prefix `` with 
all value of `` tags (gh-2755) + + +ver. 0.11.1 (2020/01/11) - this-is-the-way +----------- + ### Fixes * purge database will be executed now (within observer). * restoring currently banned ip after service restart fixed diff --git a/MANIFEST b/MANIFEST index 3974184c..703ed807 100644 --- a/MANIFEST +++ b/MANIFEST @@ -100,6 +100,8 @@ config/filter.d/exim.conf config/filter.d/exim-spam.conf config/filter.d/freeswitch.conf config/filter.d/froxlor-auth.conf +config/filter.d/gitlab.conf +config/filter.d/grafana.conf config/filter.d/groupoffice.conf config/filter.d/gssftpd.conf config/filter.d/guacamole.conf @@ -139,6 +141,7 @@ config/filter.d/sendmail-auth.conf config/filter.d/sendmail-reject.conf config/filter.d/sieve.conf config/filter.d/slapd.conf +config/filter.d/softethervpn.conf config/filter.d/sogo-auth.conf config/filter.d/solid-pop3d.conf config/filter.d/squid.conf @@ -227,6 +230,8 @@ fail2ban/tests/clientreadertestcase.py fail2ban/tests/config/action.d/action.conf fail2ban/tests/config/action.d/brokenaction.conf fail2ban/tests/config/fail2ban.conf +fail2ban/tests/config/filter.d/checklogtype.conf +fail2ban/tests/config/filter.d/checklogtype_test.conf fail2ban/tests/config/filter.d/simple.conf fail2ban/tests/config/filter.d/test.conf fail2ban/tests/config/filter.d/test.local @@ -265,6 +270,8 @@ fail2ban/tests/files/database_v1.db fail2ban/tests/files/database_v2.db fail2ban/tests/files/filter.d/substition.conf fail2ban/tests/files/filter.d/testcase01.conf +fail2ban/tests/files/filter.d/testcase02.conf +fail2ban/tests/files/filter.d/testcase02.local fail2ban/tests/files/filter.d/testcase-common.conf fail2ban/tests/files/ignorecommand.py fail2ban/tests/files/logs/3proxy 
@@ -299,6 +306,8 @@ fail2ban/tests/files/logs/exim fail2ban/tests/files/logs/exim-spam fail2ban/tests/files/logs/freeswitch fail2ban/tests/files/logs/froxlor-auth +fail2ban/tests/files/logs/gitlab +fail2ban/tests/files/logs/grafana fail2ban/tests/files/logs/groupoffice fail2ban/tests/files/logs/gssftpd fail2ban/tests/files/logs/guacamole @@ -336,6 +345,7 @@ fail2ban/tests/files/logs/sendmail-auth fail2ban/tests/files/logs/sendmail-reject fail2ban/tests/files/logs/sieve fail2ban/tests/files/logs/slapd +fail2ban/tests/files/logs/softethervpn fail2ban/tests/files/logs/sogo-auth fail2ban/tests/files/logs/solid-pop3d fail2ban/tests/files/logs/squid diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf index 010af5b5..ed958c86 100644 --- a/config/action.d/abuseipdb.conf +++ b/config/action.d/abuseipdb.conf @@ -21,14 +21,13 @@ # # Example, for ssh bruteforce (in section [sshd] of `jail.local`): # action = %(known/action)s -# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"] +# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"] # -# See below for catagories. +# See below for categories. # -# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban # Added to fail2ban by Andrew James Collett (ajcollett) -## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call. +## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call. # Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"] # ID Title Description # 3 Fraud Orders diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf index 5116b0d8..444192d3 100644 --- a/config/action.d/bsd-ipfw.conf +++ b/config/action.d/bsd-ipfw.conf 
@@ -14,7 +14,10 @@ # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipfw show | fgrep -c -m 1 -s 'table()' > /dev/null 2>&1 || ( ipfw show | awk 'BEGIN { b = } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" ) +actionstart = ipfw show | fgrep -c -m 1 -s 'table(
)' > /dev/null 2>&1 || ( + num=$(ipfw show | awk 'BEGIN { b = } { if ($1 == b) { b = $1 + 1 } } END { print b }'); + ipfw -q add "$num" from table\(
\) to me ; echo "$num" > "" + ) # Option: actionstop diff --git a/config/action.d/cloudflare.conf b/config/action.d/cloudflare.conf index 1c48a37f..361cb177 100644 --- a/config/action.d/cloudflare.conf +++ b/config/action.d/cloudflare.conf @@ -5,7 +5,7 @@ # # Please set jail.local's permission to 640 because it contains your CF API key. # -# This action depends on curl. +# This action depends on curl (and optionally jq). # Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE # # To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account @@ -43,9 +43,9 @@ actioncheck = # API v1 #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=' -d 'email=' -d 'key=' # API v4 -actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - -H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "" } }' \ - https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules +actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \ + -d '{"mode":"block","configuration":{"target":"ip","value":""},"notes":"Fail2Ban "}' \ + <_cf_api_url> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
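Review bot: The rule number picked by the awk in the new `actionstart` is the first value at or above the start number that no listed rule occupies, which is only correct if `ipfw show` prints rules in ascending numeric order; nothing in the command states that assumption. The number is also chosen in one step and used by `ipfw -q add "$num"` in a second, so another process adding a rule in between could end up sharing the number (as far as I recall ipfw does not reject a duplicate rule number, so the add would still succeed silently). A comment on the `num=$(...)` line would help the next reader: `# lowest unused rule number >= the start number; relies on 'ipfw show' listing rules sorted ascending`. The tags inside the command are stripped in this view, so the exact start-number and table names cannot be checked here.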
@@ -58,9 +58,14 @@ actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: ' -H 'X-Auth- # API v1 #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=' -d 'email=' -d 'key=' # API v4 -actionunban = curl -s -o /dev/null -X DELETE -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$(curl -s -X GET -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - 'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=&page=1&per_page=1' | cut -d'"' -f6) +actionunban = id=$(curl -s -X GET <_cf_api_prms> \ + "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=&page=1&per_page=1¬es=Fail2Ban%%20" \ + | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; }) + if [ -z "$id" ]; then echo ": id for cannot be found"; exit 0; fi; + curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id" + +_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules +_cf_api_prms = -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' -H 'Content-Type: application/json' [Init] diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf index a1065224..c89a0243 100644 --- a/config/action.d/firewallcmd-ipset.conf +++ b/config/action.d/firewallcmd-ipset.conf @@ -18,7 +18,7 @@ before = firewallcmd-common.conf [Definition] -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout firewall-cmd --direct --add-rule filter 0 -m set --match-set src -j actionflush = ipset flush @@ -27,9 +27,9 @@ actionstop = firewall-cmd --direct --remove-rule filter 0 ipset destroy -actionban = ipset add timeout -exist +actionban = ipset add timeout -exist -actionprolong = %(actionban)s +# actionprolong = %(actionban)s actionunban = ipset del -exist 
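Review bot: The `[ -z "$id" ]` guard in the new `actionunban` does not fire on the jq path when the lookup returns no rule, because `jq -r '.result[0].id'` prints the literal string `null` (exit status 0) for an empty `result` array, so the DELETE is then sent to `<_cf_api_url>/null` and the "cannot be found" message never appears; the `sed` fallback, by contrast, prints nothing in that case, so the two paths disagree. Changing the filter to `jq -r '.result[0].id // empty'` makes jq emit nothing when the id is missing and lets the existing guard handle both paths the same way. Note also that both `curl` calls run with `-s` and no `-f`, so an HTTP error from the API is not distinguished from success here; whether that is acceptable depends on how fail2ban reports action exit codes, which this hunk does not show.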
@@ -42,11 +42,19 @@ actionunban = ipset del -exist # chain = INPUT_direct -# Option: default-timeout +# Option: default-ipsettime # Notes: specifies default timeout in seconds (handled default ipset timeout only) -# Values: [ NUM ] Default: 600 +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 -default-timeout = 600 +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) # Option: actiontype # Notes.: defines additions to the blocking rule @@ -63,7 +71,7 @@ allports = -p # Option: multiport # Notes.: addition to block access only to specific ports # Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=] -multiport = -p -m multiport --dports +multiport = -p -m multiport --dports "$(echo '' | sed s/:/-/g)" ipmset = f2b- familyopt = @@ -71,7 +79,7 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 # DEV NOTES: diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf index 81540e5b..0c401f1b 100644 --- a/config/action.d/firewallcmd-multiport.conf +++ b/config/action.d/firewallcmd-multiport.conf 
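Review bot: `timeout-bantime` only caps the upper bound (`-le 2147483`), so a negative bantime value, if the stripped `<bantime>` tag can carry one for a permanent ban, is passed unchanged to `ipset add ... timeout` instead of being mapped to 0 as the surrounding comment intends; a lower bound fixes that: `timeout-bantime = $([ "<bantime>" -gt 0 ] && [ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)`. The same `[Init]` block is added verbatim in iptables-ipset-proto6-allports.conf, iptables-ipset-proto6.conf and shorewall-ipset-proto6.conf further down, so the fix applies to all four. The comment above it reads `# expresion to caclulate timeout from bantime` and should be `# expression to calculate timeout from bantime`. It would also be worth stating in the `default-ipsettime` comment that with 0 the kernel never expires entries on its own, so they stay in the set until fail2ban runs `actionunban` or `actionstop`.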
@@ -11,9 +11,9 @@ before = firewallcmd-common.conf actionstart = firewall-cmd --direct --add-chain filter f2b- firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN - firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- + firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- -actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- +actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- firewall-cmd --direct --remove-rules filter f2b- firewall-cmd --direct --remove-chain filter f2b- diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf index b06f5ccd..7b08603c 100644 --- a/config/action.d/firewallcmd-new.conf +++ b/config/action.d/firewallcmd-new.conf @@ -10,9 +10,9 @@ before = firewallcmd-common.conf actionstart = firewall-cmd --direct --add-chain filter f2b- firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN - firewall-cmd --direct --add-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- + firewall-cmd --direct --add-rule filter 0 -m state --state NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- -actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- +actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- firewall-cmd --direct --remove-rules filter f2b- firewall-cmd --direct --remove-chain filter f2b- diff --git a/config/action.d/firewallcmd-rich-logging.conf b/config/action.d/firewallcmd-rich-logging.conf index badfee83..21e45087 100644 --- a/config/action.d/firewallcmd-rich-logging.conf +++ b/config/action.d/firewallcmd-rich-logging.conf 
@@ -1,6 +1,6 @@ # Fail2Ban configuration file # -# Author: Donald Yandt +# Authors: Donald Yandt, Sergey G. Brester # # Because of the rich rule commands requires firewalld-0.3.1+ # This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not @@ -10,36 +10,15 @@ # # If you use the --permanent rule you get a xml file in /etc/firewalld/zones/.xml that can be shared and parsed easliy # -# Example commands to view rules: -# firewall-cmd [--zone=] --list-rich-rules -# firewall-cmd [--zone=] --list-all -# firewall-cmd [--zone=zone] --query-rich-rule='rule' +# This is an derivative of firewallcmd-rich-rules.conf, see there for details and other parameters. [INCLUDES] -before = firewallcmd-common.conf +before = firewallcmd-rich-rules.conf [Definition] -actionstart = - -actionstop = - -actioncheck = - -# you can also use zones and/or service names. -# -# zone example: -# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' " -# -# service name example: -# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' service name='' log prefix='f2b-' level='' limit value='/m' " -# -# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp - -actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done - -actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done +rich-suffix = log prefix='f2b-' level='' limit value='/m' [Init] 
@@ -48,4 +27,3 @@ level = info # log rate per minute rate = 1 - diff --git a/config/action.d/firewallcmd-rich-rules.conf b/config/action.d/firewallcmd-rich-rules.conf index bed71797..803d7d12 100644 --- a/config/action.d/firewallcmd-rich-rules.conf +++ b/config/action.d/firewallcmd-rich-rules.conf @@ -35,8 +35,10 @@ actioncheck = # # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp -actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done +fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s + +actionban = ports="$(echo '' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done -actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done - +actionunban = ports="$(echo '' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done +rich-suffix = \ No newline at end of file diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index c851233c..67d7947b 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf @@ -26,7 +26,7 @@ before = iptables-common.conf # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout -I -m set --match-set src -j # Option: actionflush 
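Review bot: The new `rich-suffix =` at the end of `[Definition]` in firewallcmd-rich-rules.conf is an empty extension point with no comment and, per the `\ No newline at end of file` marker, no terminating newline, and nothing tells a reader that firewallcmd-rich-logging.conf (changed earlier in this patch) overrides it to append the `log prefix=... limit value=...` options. A comment above it would make the contract explicit: `# suffix appended to every rich rule (empty here); firewallcmd-rich-logging.conf overrides it to add logging options`. Adding the final newline avoids the missing-newline noise in future diffs.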
@@ -49,9 +49,9 @@ actionstop = -D -m set --match-set src -j timeout -exist +actionban = ipset add timeout -exist -actionprolong = %(actionban)s +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -63,11 +63,19 @@ actionunban = ipset del -exist [Init] -# Option: default-timeout +# Option: default-ipsettime # Notes: specifies default timeout in seconds (handled default ipset timeout only) -# Values: [ NUM ] Default: 600 +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 -default-timeout = 600 +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) ipmset = f2b- familyopt = @@ -76,4 +84,4 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index 12c3ddd6..87601027 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf @@ -26,7 +26,7 @@ before = iptables-common.conf # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout -I -p -m multiport --dports -m set --match-set src -j # Option: actionflush 
@@ -49,9 +49,9 @@ actionstop = -D -p -m multiport --dports -m # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset add timeout -exist +actionban = ipset add timeout -exist -actionprolong = %(actionban)s +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -63,11 +63,19 @@ actionunban = ipset del -exist [Init] -# Option: default-timeout +# Option: default-ipsettime # Notes: specifies default timeout in seconds (handled default ipset timeout only) -# Values: [ NUM ] Default: 600 +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 -default-timeout = 600 +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) ipmset = f2b- familyopt = @@ -76,4 +84,4 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf index c1fb8550..77cf3661 100644 --- a/config/action.d/nftables.conf +++ b/config/action.d/nftables.conf @@ -34,7 +34,7 @@ type = multiport rule_match-custom = rule_match-allports = meta l4proto \{ \} -rule_match-multiport = $proto dport \{ \} +rule_match-multiport = $proto dport \{ $(echo '' | sed s/:/-/g) \} match = > # Option: rule_stat diff --git a/config/action.d/nginx-block-map.conf b/config/action.d/nginx-block-map.conf index 0b6aa0ad..ee702907 100644 --- a/config/action.d/nginx-block-map.conf +++ b/config/action.d/nginx-block-map.conf 
@@ -103,6 +103,8 @@ actionstop = %(actionflush)s actioncheck = -actionban = echo "\\\\ 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s +_echo_blck_row = printf '\%%s 1;\n' "" -actionunban = id=$(echo "" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^\\\\$id 1;$/d" %(blck_lst_file)s; %(blck_lst_reload)s +actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s + +actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf index 45be0c0a..eacb53d9 100644 --- a/config/action.d/shorewall-ipset-proto6.conf +++ b/config/action.d/shorewall-ipset-proto6.conf @@ -51,7 +51,7 @@ # Values: CMD # actionstart = if ! ipset -quiet -name list f2b- >/dev/null; - then ipset -quiet -exist create f2b- hash:ip timeout ; + then ipset -quiet -exist create f2b- hash:ip timeout ; fi # Option: actionstop @@ -66,9 +66,9 @@ actionstop = ipset flush f2b- # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset add f2b- timeout -exist +actionban = ipset add f2b- timeout -exist -actionprolong = %(actionban)s +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
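Review bot: `_echo_blck_row = printf '\%%s 1;\n' "..."` (with `%%` being the ini escape for a literal `%`) relies on printf passing the unrecognized `\%` escape through as a literal backslash; POSIX leaves the output of an unknown backslash escape in a printf format unspecified, so the leading backslash that the old `actionban` line emitted with explicit escaping may not be produced by every shell's printf. Writing the backslash explicitly, `printf '\\%%s 1;\n' "..."`, yields the same row on any printf. Since `actionunban` now derives its sed lookup from the same helper, a shell-dependent difference would not break the unban match, but the row written to the nginx map file would still differ from what nginx expects if the backslash is dropped.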
@@ -78,8 +78,16 @@ actionprolong = %(actionban)s # actionunban = ipset del f2b- -exist -# Option: default-timeout +# Option: default-ipsettime # Notes: specifies default timeout in seconds (handled default ipset timeout only) -# Values: [ NUM ] Default: 600 +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 -default-timeout = 600 +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) diff --git a/config/fail2ban.conf b/config/fail2ban.conf index ba0e9204..f3867839 100644 --- a/config/fail2ban.conf +++ b/config/fail2ban.conf @@ -19,7 +19,7 @@ # NOTICE # INFO # DEBUG -# Values: [ LEVEL ] Default: ERROR +# Values: [ LEVEL ] Default: INFO # loglevel = INFO diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 32991cba..dd9452a9 100644 --- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf @@ -17,9 +17,9 @@ before = apache-common.conf [Definition] -script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl) +script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/) -prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)): )?(?:(?:[Ff]ile|script|[Gg]ot) ).+$ +prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) ).+$ failregex = ^(?:does not exist|not found or unable to stat):